[Snort-users] Snort isn't logging to snort.log but is to snort.alert
ccie6862 at ...131...
Sun Apr 25 18:14:11 EDT 2010
Thanks for the tip - I've made the changes.
Also, I found why the snort.log wasn't being used. The snort.conf file had the following:
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.unified, limit 128
I have no idea how the snort.log was being created, as it was no where in the configuration file; however snort.unified has always been used in addition to the snort.alert and (until recently) snort.log.
Everything is back to normal.
--- On Sun, 4/25/10, Joel Esler <jesler at ...1935...> wrote:
> From: Joel Esler <jesler at ...1935...>
> Subject: Re: [Snort-users] Snort isn't logging to snort.log but is to snort.alert
> To: "ccie 6862" <ccie6862 at ...131...>
> Cc: "Snort-users at lists.sourceforge.net" <Snort-users at lists.sourceforge.net>
> Date: Sunday, April 25, 2010, 2:05 PM
> You should not output from snort
> using thr output database line. You should output using
> output unified and then use barnyard to read the unifies
> file an output to database.
> Joel Esler
> Sent from my iPhone
> On Apr 25, 2010, at 2:30 PM, ccie 6862 <ccie6862 at ...131...>
> > Last night I upgraded snort from 2.8.4 to 18.104.22.168. In
> the process of going over everything, I noticed that I had
> never uncommented the "output database" line. I added a line
> to the "preprocessor frag3_engine" to eliminate some noisy
> alerts and a couple lines to threshold.conf.
> > Up to this point, snort was logging OK. Now, snort
> only is logging to the snort.alert.### file but not the
> snort.log.### file. I don't see any problems in the
> /var/log/messages file, and I'm not really sure how to
> figure out what's wrong.
> > I'd be very grateful if anyone can point me in the
> right direction.
> > I have another question about barnyard, which is also
> installed. Does the "output database" have to be uncommented
> in the snort configuration given I'm running barnyard? From
> reading the documentation, I believe barnyard is duplicating
> entering the data into mysql; however, I configured this
> based on some how-to's for installing snort and barnyard.
> > Thank you.
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
More information about the Snort-users